Certificates and Certificate Authorities

Certificates

Certificates used by the appliance are public key certificates known as X.509 certificates.
Each certificate binds a public key to a specific identity or organization, which allows the
identity of the certificate holder to be verified. Identity verification is an important
component of ensuring secure communication. Without it, even encrypted communication can be
redirected to, or compromised by, an untrustworthy third party.

To help prevent this, the Email Appliance can:

Use certificates signed by an organization known as a trusted certificate authority (CA) to present a verifiable identity to other hosts. This helps ensure secure access to the Email Appliance’s Administrative User Interface and End User Web Quarantine, and enables hosts that support transport layer security (TLS) email encryption to confirm the identity of the Email Appliance when exchanging encrypted email with it.

Be configured to trust additional certificate authorities, by obtaining identifying certificates associated with them. This allows you to expand the range of identities that you would like the Email Appliance to communicate with.

Note

The Email Appliance uses the certificates associated with CAs only to verify the identity of each CA. While similar to the certificates presented by the Email Appliance to other hosts, they are managed separately, and you should distinguish between them.

The Email Appliance can have up to four certificates at one time, including the default self-signed certificate (see below). Different certificates can be used for different roles, including the Administrative User Interface, the End User Web Quarantine, and TLS email encryption.

Certificates include information such as the hostname they are to be used with, a digital
signature from a certificate authority, a start date, and an expiry date. To be considered
valid, a certificate must:

not yet be expired.

have a digital signature from a trusted certificate authority.

have a hostname associated with it that matches the hostname of the machine that is using the certificate.

Note

If your Email Appliance has several hostnames associated with it, it is important that you ensure the hostname presented to other machines matches your certificate(s) exactly.

By default, the Email Appliance uses what is known as a self-signed certificate: a certificate signed by the entity that created it, rather than by a third-party CA. This is useful for providing encryption when verification of the host’s identity by an external CA is not needed; in this case, the host acts as its own CA. This can be appropriate when the Email Appliance needs to verify its identity only to a limited set of hosts, such as for communication within a company or with business partners.

About Certificate Authorities (CAs)

Certificate authorities are trusted third parties. A CA can be a root authority
(i.e. one that is explicitly trusted); it can have an identity that is verified by checking
with other trusted certificate authorities (such as the root authorities); or you can choose
to designate a CA as trusted yourself (such as an authority within your organization).

The list of trusted certificate authorities included with the Email Appliance is not exhaustive. For example, a CA that began operations recently may be widely trusted yet not appear in the list. This does not mean the Email Appliance will be unable to use CAs it does not know about, only that you will need to add them to the Email Appliance’s list of trusted CAs.

The Email Appliance’s certificate authorities can be managed in the Trusted Certificate Authorities section of the Configuration > Policy > Certificates page.

Note

Sophos maintains a list of trusted certificate authorities for the Email Appliance. You can view, but cannot add or delete, CAs in this list. You can manage additional CAs from the Trusted Certificate Authorities section of the Configuration > Policy > Certificates page.

Example: Exchanging Encrypted Email With A Business Partner

You and a business partner want to exchange encrypted email, and it is important to you
that you can always verify the identity of their mail relays. Since the business partner
rarely uses encrypted email except when exchanging email with you, they do not wish to
purchase a certificate from a commercial vendor. They also would like you to have the
ability to send encrypted email to other mail relays they plan to add in the future. By adding
your business partner as a certificate authority, you will be able to verify the identity of
any new mail relay they decide to deploy, provided they have signed the new mail relay’s
certificate.

To add your business partner as a trusted certificate authority:

Obtain a copy of your business partner’s certificate. This must be in Privacy-Enhanced
Mail (PEM) format.

In the Trusted Certificate Authorities section of the Configuration > System > Certificates page, click on Configure. The Trusted
Certificate Authorities dialog box is displayed.

Click on the Locally Managed tab. A list of trusted certificate
authorities is displayed.

Click Add. The Add Certificate Authorities
dialog box is displayed.

In the Description text box, enter a descriptive name for the CA
(your business partner in this example).

Either paste the CA certificate in the Paste Certificate text
box, or select Import Certificate to import the CA certificate from
a file.

Click OK.

Your business partner is now listed as a Trusted Certificate Authority.
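To make the three validity checks and the business-partner scenario concrete, here is an added example in Go, written for this page and not part of the appliance’s documentation or software. It builds a private CA for the partner, has that CA sign a mail relay’s certificate, and then verifies the relay the way a TLS peer would, before and after the partner CA is added to the trusted list; the CA name, the relay hostnames and the one-year validity are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a one-year certificate for cn signed by parentKey; nil parent = self-signed (cn is its own CA).
func issue(cn string, serial int64, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-366 * 24 * time.Hour), NotAfter: notAfter, BasicConstraintsValid: true}
	if parent == nil { // a CA: self-signed and allowed to sign other certificates
		parent, parentKey, t.IsCA, t.KeyUsage = t, key, true, x509.KeyUsageCertSign
	} else { // a mail relay: the hostname it presents to other hosts must match
		t.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Checks plays out the business-partner example and returns each case's verification error (nil = accepted).
func Checks() map[string]error {
	// verify applies the three checks from the text: validity window, signature by a trusted CA, hostname match.
	verify := func(c *x509.Certificate, trusted *x509.CertPool, host string) error {
		_, err := c.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
		return err
	}
	year := time.Now().Add(365 * 24 * time.Hour)
	partnerCA, caKey := issue("Partner Private CA", 1, year, nil, nil) // constructed names
	relay, _ := issue("mx1.partner.example", 2, year, partnerCA, caKey)
	expired, _ := issue("mx1.partner.example", 3, time.Now().Add(-24*time.Hour), partnerCA, caKey)
	local := x509.NewCertPool() // the locally managed list, after the partner CA is added
	local.AddCert(partnerCA)
	return map[string]error{
		"untrusted_ca": verify(relay, x509.NewCertPool(), "mx1.partner.example"), // partner not yet trusted
		"trusted_ca":   verify(relay, local, "mx1.partner.example"),
		"wrong_host":   verify(relay, local, "mx2.partner.example"),
		"expired":      verify(expired, local, "mx1.partner.example"),
	}
}
```

Only the trusted_ca case returns nil; the other three fail for exactly the reasons the validity list above gives, which is also why a hostname mismatch on a multi-homed appliance is rejected even when the certificate is otherwise valid.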

Example: Re-using An Existing Certificate

Your organization has already purchased a certificate from a vendor for a previous mail relay, and now wishes to re-use it for the Email Appliance.

On the Configuration > System > Certificates page, click Add. The Add
certificate dialog is displayed.